This is in Grouper 2.2 UI.  btw, Ive heard this does not work with IE8.


Set this in for enhanced logging  = DEBUG


If you are using nginx make sure to set this setting

underscores_in_headers on;

Configure more URLs to protect

If you have logic running (other than what is built in to Grouper) in the Grouper UI application (this is not common), you can add CSRF protection in the

# If you have logic running from the Grouper webapp, put some comma-separated URL patterns, starting with slash
# and after the context, e.g. /grouperExternal/public/UiV2Public.index
# ${valueType: "string"}
csrfguard.extraFilterPatterns = 


If a request is made that is protected and the CSRF token is not present, an error will occur

You can see a log in the UI of what the request was:

2021-05-16 10:34:09,309: [http-nio-8400-exec-10] ERROR CsrfGuardLogger.log(47) -  - potential cross-site request forgery (CSRF) attack thwarted (user:GrouperSystem, ip:0:0:0:0:0:0:0:1, method:GET, uri:/grouper/grouperUi/app/UiV2Main.gif, error:required token is missing from the request)

You can unprotect URLs from CSRF in the file (append to this file in a container script hook)

  • No labels